Marriott has agreed to pay $52 million and to strengthen its
data security practices in settlements related to three data breaches dating back
to 2014.

The settlements announced today are two-fold: A resolution
with 49 U.S. States Attorneys General and the District of Columbia requires the
hospitality giant to pay $52 million to those entities. Separately, the Federal
Trade Commission will require Marriott and its subsidiary Starwood to implement
a “robust information security program.” Additionally the company has agreed to
provide all customers in the United States with a way to request deletion of
personal information associated with their email address or loyalty rewards
account number.

“Marriott’s poor security practices led to multiple breaches
affecting hundreds of millions of customers,” said Samuel Levine, director of
the FTC’s Bureau of Consumer Protection. 

“The FTC’s action today, in coordination with our state
partners, will ensure that Marriott improves its data security practices in
hotels around the globe.”

Connecticut co-led the multi-state case. Its attorney
general, William Tong, said, “Companies have an obligation to take reasonable
measures to protect consumer data security. Marriott clearly failed to do that,
resulting in the breach of the Starwood computer network and the exposure of
personal information for millions of its guests. This 50-state settlement,
co-led by Connecticut forces a strong system of risk-based protections to guard
against ever-evolving threats to cybersecurity. We will continue to work
closely with our multistate partners across the country to ensure companies are
taking all reasonable precautions to protect our personal information.”

Marriott announced plans to acquire Starwood in 2015 – and shortly
after Starwood notified customers it had experienced a 14-month long data
breach involving payment card information for more than 40,000 customers.

Once the $12.2 billion merger went through in 2016, Marriott
became responsible for the data security practices of both brands. Two years
later, in November 2018, Marriott
revealed it had identified what is now termed the second breach, which had
been begun in 2014 and involved the copying of information from about 340
million Starwood guests worldwide until it was discovered four years later.

According to the United States Federal Trade Commission, forensic
examiners determined this breach was due to “malicious actors” compromising
Starwood’s external-facing webserver and installing malware on its network. It
said the introducers installed “key loggers, memory-scraping malware and remote
access trojans” on more than 480 systems across 58 locations within Starwood’s
system, including corporate, data center, customer contact center and hotel
property locations.

Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.

Samuel Levine – FTC

Personal information stolen during this breach included more
than 5.25 million unencrypted passport numbers, payment card numbers, email
addresses, user names and dates of birth as well as Starwood loyalty numbers,
stay information, flight information and more. 

Marriott
reported the third breach in March 2020, when it said hackers used login
credentials of employees at a franchise property to gain access to Marriott’s
network.

The intruders began stealing information in September 2018 –
the same month the second breach was discovered – and continued until December 2018,
then resumed in January 2020 until they were discovered in February 2020.

During that time they accessed more than 5.2 million guest
records that the FTC said contained “significant amounts” of personal
information.

The FTC complaint alleges Marriott failed to do multiple
things, including implementing appropriate password control, patching outdated
software, monitoring network environments, implementing appropriate firewalls
and applying adequate multifactor authentication. 

The agreements with the FTC and the attorneys general
indicate that Marriott makes no admission of liability with respect to the
underlying allegations. Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries.